Channels

Services

Google packages web apps for the desktop

As part of Chrome 22.0.1207, which was released to the browser's Development Channel on 16 July, Google's developers have added a new implementation of the packaged apps feature to the browser that allows web applications to be distributed offline more easily. In a promotional video released by the company, Google promises that these applications will "generally behave like first class apps in the operating system" and says users should not be aware that the application was built using web technologies like HTML5, CSS and JavaScript.

Under the new implementation, packaged apps may save resources locally and indeed do so by default. The application itself is also loaded from local storage, which enables it to be distributed completely offline as well. Applications developed in this way will also get more control over their own windows and receive privileges akin to native apps which allows them to access system-level resources like USB, Bluetooth and other device interfaces via new APIs provided within Chrome.

Recognising the potential security threat inherent in giving web applications additional system-level privileges, Google has given packaged apps an enhanced security model. Adding to Chrome's usual process isolation and sandboxing provision, Google enforces a Content Security Policy on these applications by default, disabling features such as inline scripts and the JavaScript eval() function to prevent packaged apps from accessing each other's resources. Developers can still use these features in what Google calls "sandboxed pages", which do not have the extended privileges of the rest of the packaged application.

Google's video on security in packaged apps

Packaged apps also implement an Android-like permissions model which requires users to explicitly sign off on the privileges each application receives. To increase the security of web content shown in the application, Google has introduced a "browser tag" to load web content in an isolated instance of Chrome embedded in the web app. This confines any insecure code loaded straight from the web to this Chrome instance, which is also sandboxed.